$ whoami

Ben Roberts

I currently work as a systems administrator for GSA Capital, managing Unix, Linux and Windows systems and providing IT support. I rely heavily on automation and open source technologies in my daily activities.

I previously worked as a Network Projects engineer for Atos in the Major Projects division. My role included design and implementation of LAN and WAN systems in Data Centre environments. My last project involved working on a major internal infrastructure overhaul spanning five sites for which I produced all the physical layer design and implementation.

Before then, I worked for Netcraft in Bath, while taking a year out from my degree studies. My roles included developing and running the SSL Server Survey, reviewing Automated Vulnerability Scan results, and performing occasional penetration tests against web applications for financial institutions.

I am a former graduate of ECS (University of Southampton), earning a First in Computer Science with Distributed Systems and Networks to the Masters level.

In my spare time, I am a member of the Sabayon Linux developers group, where I help maintain the Sabayon Community Repositories, help look after the project infrastructure, maintain the puppet-sabayon module, and dabble with package maintenance.

You can contact me via me@benroberts.net.

Recent Posts

vCenter OIDC authentication using KeyCloak

VMware vCenter 7 adds support for OIDC single sign-on. Officially only ADFS is supported, but with some tweaks, KeyCloak can be used instead. The changes necessary to trick vCenter into accepting KeyCloak as an IDP are:

  • Include a domain claim matching the vCenter SSO domain
  • Override the sub claim to be the plain username

The process is described in more detail on my wiki here: http://dokuwiki.sihnon.net/vmware#oidc_sso_authentication_via_keycloak

The vCenter UI decides whether to use local SSO or OIDC by having you type in the username into the vCenter login form, and matching the domain part against the configured authentication domains. Unfortunately this means typing in the username twice, once fully qualified on the vCenter login form, and then again in the IDP login form.

Using OIDC for logging into vCenter saves entering the password as often, and if the IDP supports 2FA, then this is used for the login to vCenter, which is a nice security improvement. KeyCloak supports both TOTP codes and FIDO U2F as the second factor, meaning it supports Yubikeys and Krypton.

While setting this up, the /var/log/vmware/sso/tokenservice.log logfile on the vCenter host is helpful for troubleshooting the login process. It will show the data extracted from the JWT claims, which can be used to confirm the username and domain claims are being set correctly.
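As an added troubleshooting aid (not from the original post or the wiki), the Python below decodes a token's payload without verifying its signature and checks the two claims described above: that the domain claim matches the vCenter SSO domain and that sub is a plain username. The claim name `domain`, the SSO domain `vsphere.local` and the sample tokens are assumptions constructed for the example.

```python
import base64
import json

# Assumed (not from the original post): the vCenter SSO domain that the
# IDP's "domain" claim must match.
EXPECTED_SSO_DOMAIN = "vsphere.local"

def _b64url(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature: this is a
    troubleshooting aid for seeing what the IDP put in the token (the same
    data tokenservice.log logs), never an authentication check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url(parts[1]))

def check_vcenter_claims(claims: dict, sso_domain: str = EXPECTED_SSO_DOMAIN) -> list:
    """List problems with the two claims vCenter relies on (empty list = OK)."""
    problems = []
    domain = claims.get("domain")
    if domain is None:
        problems.append("missing 'domain' claim")
    elif domain.lower() != sso_domain.lower():
        problems.append(f"'domain' claim {domain!r} does not match SSO domain {sso_domain!r}")
    sub = claims.get("sub")
    if not sub:
        problems.append("missing 'sub' claim")
    elif "@" in sub or "\\" in sub:
        problems.append(f"'sub' claim {sub!r} is not a plain username")
    return problems

def build_unsigned_token(claims: dict) -> str:
    """Build an alg 'none' sample token (constructed, unsigned) so the checks
    above can be exercised offline; a real KeyCloak token is normally RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed samples: one token with the required claims, and one with
    # KeyCloak's stock 'sub' (a user UUID) and no domain claim at all.
    good = build_unsigned_token({"sub": "alice", "domain": "vsphere.local"})
    bad = build_unsigned_token({"sub": "2f1c7a0e-0000-4000-8000-0000000000aa"})
    for tok in (good, bad):
        print(check_vcenter_claims(decode_jwt_claims(tok)) or "claims OK")
```

Paste a real token from the IDP in place of the constructed ones to compare what KeyCloak sends against what tokenservice.log reports.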
